Blog-Driven Android Malware Discovered

Google's Android mobile phone OS has increasingly become the mobile OS target of choice for malware authors, and recent news from Trend Micro security researchers indicates that malware authors are constantly developing new ways to infect target devices. According to a blog post on the TrendLabs Malware Blog by Threat Response Engineer Karl Dominguez, a new type of Android malware -- called ANDROIDOS_ANSERVERBOT.A -- can be controlled remotely by files uploaded to a blog.

The malware is downloaded as part of a trojanized e-book reader app that is currently available in a variety of third-party Chinese Android app stores. Once the user downloads and installs the app, the malware connects to two separate servers from which it receives additional commands and updated files. Dominguez explains that the first server is a typical command-and-control site from which the malware sends and receives information, but the second server exhibited some characteristics that caught the Trend Micro security team's attention:

The second C&C server, however, caught our attention more. This is a blog site with encrypted content, which, based on our research, is the first time Android malware has implemented this kind of technique to communicate.

This nasty bit of malware asks for permission to access just about every feature of the Android device during installation, which is a giant red flag that the app isn't what it claims to be. Apps that request access to such a large number of phone features should always be treated with suspicion, and watching for apps that do so is one of the most effective security habits an Android phone user can adopt.

The malware is designed to check additional blogs for updated files and information if a connection to the first server is unavailable. This fallback lets the malware's operators keep the botnet running even when authorities take down existing servers, since they can simply stand up new ones and point the infected devices at them. A Trend Micro visual shows how the process works: